What privacy lessons can we learn from Online Dating

March 2021

Here are our top 10 tips…

Recently, I was joined by John Mitchison from DMA and Chris Field from Harte Hanks in Texas to talk about privacy issues in the online dating industry. DPN are now Associate members of the Online Dating Association, the International trade body for dating businesses, and we were delighted to speak to their members on this topic.

The discussion was wide ranging – here are my ten lessons:

1. International data protection laws appear to be converging

We know EU GDPR has set the bar high but we can see that, to an extent, this is being replicated in some states in US, most notably California. It’s also clear with the Biden/Harris presidential team there will be a greater focus on protecting privacy and the possible introduction of a Federal data protection law.

The fact the UK is likely to be granted adequacy is another reason to believe high data protection standards are here to stay.

2. Questions around trust and transparency will increase

Since the introduction of GDPR and the start of the Covid pandemic the wider population has an increased awareness of privacy questions. People know their rights and there’s an increasing awareness of data breaches.

Being open and transparent is a core principle of GDPR and, to build trust, more businesses will treat trust as a core operating principle.

3. Special category data must be handled carefully

A lot of very personal information is shared through an online dating account and some of it will be considered special category data. This is, anything to do with health, sexual orientation, sex life, racial origin and religious beliefs.

The UK’s ICO cautions against using this data unless its use has been carefully risk assessed.  In particular if this data is shared as part of a profile it should not necessarily be used to help build segments for marketing purposes.

4. Distinguish between service messages and marketing messages

It may not be desirable or necessary to use all the data contained in a user profile to create segments for marketing. It would make sense to minimise the use of personal data and identify the key variables which will generate a sale.

The remainder of the data could be used to help deliver the service, but understanding the difference between service and marketing messages is paramount.

5. Right to be Forgotten is not an absolute right

It’s almost never a good idea to completely erase a data subject from your system as, somehow, you need to know not to add them back in again. This means keeping a small snippet of information in a suppression file to ensure they can never sign up for marketing again.

However, with the dating industry, there’s also the need to have safeguards in place to protect other members from stalkers, convicted rapists or other criminals. In this case, producing a DPIA and documenting the reasons for keeping any data is absolutely essential.

6. DSARs (Data Subject Access Requests) are growing

Individuals know their rights and are making more requests whether it’s through a third party or a direct request. In the US, there’s a similar requirement in California. Having the necessary processes in place to ensure these can be responded to within a month is key.

7. Removal of fake profiles is not a privacy matter

Within the terms and conditions of most dating sites will be the absolute right to remove fake profiles. This is not a privacy matter but part of the terms and conditions of use to protect other users.

8. Wean yourselves off use of third-party cookies

Although Firefox and Mozilla have already stopped supporting third party cookies for targeting purposes, Google’s decision to stop supporting them in 2022 is a game changer. Chrome represents over 65% of the browser market and their decision will effectively kill off third-party cookies.

Now is the time to think about alternative ways of targeting. This could be through the development of profiles using data you’ve compliantly collected yourselves, the use of contextual targeting tools or collaborations to share data insights. The world will change and the race is on to change ways of targeting.

9. Social media marketing is under scrutiny

What do you need to create look alike audiences on Facebook or Instagram? Can you create anonymised segments which can be uploaded for targeting? Do you need to upload emails to create segments and if you do, have you gained the necessary consent from your customers/prospects? Uploading emails is a high risk activity without consent.

10. Data breaches are endemic

In UK, 88% of companies were affected by a breach in last 12 months whilst in US the number is 49%.  The most recent ICO quarterly breach review indicated 72% of breaches were non-cyber security related.

In a nutshell, most problems are down to user error whether it’s not updating user access, not changing passwords, insecure data sharing. The list of possible infringements due to error are endless. For any organisation handling such huge volumes of personally sensitive data, the challenge is substantial.

We may have been talking about dating but these top 10 tips can apply to any digital business.


Data protection team over-stretched? Find out how we can support you with our Privacy Manager Service.